New Threat: FIDO Authentication Downgrade

News & Events 1669 view(s)

Researchers at Proofpoint have identified a new attack vector targeting the security of FIDO keys — one of the most reliable phishing-resistant authentication methods. Cybercriminals are now using specially crafted phishlets to force users to abandon FIDO2 in favor of less secure login methods such as SMS codes or authenticator apps, which are vulnerable to adversary-in-the-middle (AiTM) attacks.

FIDO2 Authentication Downgrade Attacks: New Phishing Technique Targets Secure Login.

The attack exploits compatibility gaps in certain browsers with FIDO2, particularly when working with Microsoft Entra ID. Threat actors deploy AiTM infrastructure disguised as an unsupported browser environment — for example, Safari on Windows. This is achieved through User-Agent spoofing, tricking the authentication system into “believing” that FIDO keys are unavailable and prompting the user to select an alternative login option.

The attack scenario begins with a phishing email or message containing a link generated via a modified FIDO downgrade phishlet. When the victim clicks the link, they are presented with a fake Microsoft authentication page that displays a simulated login error. The page visually matches the legitimate one, creating the illusion of a temporary system failure.

Once the victim opts for an alternative authentication method, attackers — leveraging a reverse proxy — intercept the entered credentials and session tokens. Stolen cookies can then be imported directly into the attacker’s browser, granting full account access without any additional authentication.

This method does not break FIDO’s cryptographic mechanisms; instead, it exploits the human factor and weaknesses in client-side implementations. The emergence of such attacks is the result of the evolution of phishing frameworks such as Evilginx, EvilProxy, and Tycoon, which initially failed against FIDO-protected accounts.


Recommendations:

  • Use browsers fully compatible with FIDO2.

  • Always verify that login is performed via your FIDO key, not an alternative method.

  • Be cautious of “authentication errors” and unexpected login redirects.


Internet browsers that support FIDO2.


The FIDO2 standard remains the gold standard for user authentication, providing strong phishing resistance when implemented correctly.

Sunday Monday Tuesday Wednesday Thursday Friday Saturday January February March April May June July August September October November December